This breach makes so much sense now...Take a look at the excellent paper by the
folks at ebanking security "Why eBanking is Bad for your Bank Balance:
http://www.ebankingsecurity.com/ebanking_bad_for_your_bank_balance.pdf
Basically they talk about PINS and Passwords, and conclude how useless the
authentication methods are if you assume the client machine has already been
compromised.
Roger Franks, Security Manager
Middle East Advertising - AlClick | http://www.middleeastadvertising.com
Dubai, United Arab Emirates | Tel:(9714) 319 7575, Fax: (9714) 319 7573
-----Original Message-----
From: Kim Dyer [mailto:dyer@msu.edu]
Sent: Thursday, March 10, 2005 3:19 PM
To: webappsec@securityfocus.com
Subject: RE: Web security breach changes the lives of 119 people
Chances are that nobody at Harvard Business School or ApplyYourself Inc.
bothered to contemplate the most obvious scenario: that somebody other
than the 119 accused, or their friends and family, was responsible for
the majority of (or all of) the attempts to access application records.
Actually, every report I've heard on this incident says that they Specifically
DID consider that.
What information of a personal nature would have been required in order
to access the pending application?
Passwords and or PINs from what I've been reading.
Perhaps it
was possible to browse any one of the pending applications once one had
penetrated the ApplyYourself Inc. security perimeter.
The reports I've seen said that you could only see the one application if you
saw anything. I guess the majority just got a blank screen.
This is more likely than is the scenario as it has been depicted.
You don't think it likely people would want to sneak a peek if they thought they
could? That's pretty much just human nature.
----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.
